INTERNAL OVERSIGHT SERVICE (IOS): ANNUAL REPORT 2015 SUMMARY

Transcription

1 Executive Board Hundred and ninety-ninth session 199 EX/16 PARIS, 22 February 2016 Original: English Item 16 of the provisional agenda INTERNAL OVERSIGHT SERVICE (IOS): ANNUAL REPORT 2015 SUMMARY The annual report of the Internal Oversight Service (IOS) is submitted pursuant to a standing request by the Executive Board (160 EX/Decision 6.5 and 164 EX/Decision 6.10). It sets out the key achievements of IOS for the concerned year. The following items are attached as annexes to this report: audits completed in 2015 (Annex I), the audit and evaluation workplans for 2016 (Annex II), the internal audit charter and policy (Annex III), as well as a summary of findings from JIU reports issued in 2015 of interest to UNESCO (Annex IV), and the Synthetic Review of Existing UNESCO Evaluations (Annex V). The annual report of the Oversight Advisory Committee to the Director-General is presented as 199 EX/16.INF. All financial and administrative implications of the reported activities fall within the parameters of the current C/5 document. Action expected of the Executive Board: Proposed decision in paragraph 36.

2 INTRODUCTION 1. The annual report informs the Executive Board of key activities of the Internal Oversight Service (IOS) for 2015 and its work programme for The report of the Oversight Advisory Committee to the Director-General whose terms of reference call for it to be shared with the Executive Board is contained in 199 EX/16.INF. OVERVIEW 2. IOS provides a consolidated oversight mechanism covering the functions described below: Table 1: Main functions of IOS Internal audit Audits assess selected operations of Headquarters, field offices and information technology systems and make recommendations to improve the Organization s administration, management control and programme delivery. Evaluation Evaluations assess the relevance, efficiency, effectiveness, impact and sustainability of programmes, projects and operations as well as their coherence, connectedness and coverage. Investigation Investigation assesses allegations of misconduct and irregularities (e.g. fraud, abuse of assets, or harassment). It is the sole unit responsible for investigating misconduct. Advisory role Advisory services are rendered to senior management upon request ranging from organizational advice to operational guidance. 3. IOS adheres to international professional standards1 for the conduct of its internal audits, evaluations and investigations. This includes continued reinforcement of its quality assurance processes through the advice of the Oversight Advisory Committee, by commissioning external quality assurance reviews of the audit and evaluation functions, and requiring all staff to be professionally certified in their field, in addition to their academic credentials. 4. Professionals in audit, evaluation and investigations are actively engaged in a number of United Nations system-wide fora, including the Representatives of Internal Audit Services of the United Nations Organizations and Multilateral Financial Institutions (RIAS); the United Nations Evaluation Group (UNEG); and the United Nations Representatives of Investigations Services (UNRIS). 5. IOS is part of a broader oversight mechanism for UNESCO which includes the External Auditor, whose reports are presented directly to the Executive Board, and the Joint Inspection Unit (JIU) whose reports are available at BUDGET AND FUNDING 6. The activity budget for IOS remains substantially lower than before the budget shortfall in Notwithstanding a range of cost-savings measures have been introduced, this has still resulted in increasing lapses in field office coverage and assurance on IT risks by the internal audit section. Extrabudgetary contributions for specific evaluations have enabled the evaluation section to evaluate a number of important programmes that could not have been fully evaluated otherwise. 1 Audits follow the International Standards for the Professional Practice of Internal Auditing; investigations, the Uniform Guidelines for Investigations; and evaluations, the Norms and Standards for Evaluation in the United Nations System.

3 page 2 IOS operates with 18 staff 2 (16 P and two G) in comparison of 23 staff (20 P and three G) prior to the crisis. IOS has transferred one post from internal audit to investigations effective in 2016 in order to strengthen fraud awareness, proactive fraud monitoring and to further reduce the open caseload. Table 2: IOS budget evolution Source: (*) FABS Regular Programme Budget and (**) C/5 Expenditure Plans INTERNAL AUDIT 7. In the course of 2015, the Internal Audit updated the IOS Internal Audit Charter and Policy which is attached in Annex III. 8. IOS audits assess the functioning of internal controls, the efficiency and effectiveness of operations and the reliability of management information. During the year, IOS performed audits covering a range of business processes and UNESCO entities. The biennial audit plan comprising 25 audits was achieved except for two planned audits that were still underway at the end of Four substitutions were made in the plan during the biennium to address emerging needs. The principal audits completed are summarized in Annex I and more information on the results of these audits is available on the IOS website at The audits performed were determined by a risk-based plan and provide a limited assurance on UNESCO s overall risk management and control. 9. Internal audits completed during 2015 and the follow-up on recommendations from prior audits showed some improvements as well as emerging risks, none of which, in our opinion, comprise material weakness in the overall system of controls. The principal areas where internal controls have required close attention are outlined below: 10. Enterprise risk management: An effective risk management framework should provide an end-to-end link between objectives, strategy, execution of strategy, risks, controls and assurance across all levels in an Organization. UNESCO introduced risk management in 2008 through (i) a systematic exercise to identify and assess the top corporate risks facing the Organization and (ii) establishment of a Risk Management Committee to inter alia formulate and monitor mitigation plans for these risks and to update the risk assessment semi-annually. Progress was achieved, 2 Two vacant posts will be filled in early 2016.

4 page 3 including introduction of a risk management handbook and training as well as periodic reassessment of risks including efforts at field offices. Upon recommendation of the Oversight Advisory Committee, the Director-General has given renewed emphasis to advancing risk management including the recent reformulation of the Risk Management Committee with new terms of reference in IOS is completing an advisory engagement to improve the framework for identifying, assessing and mitigating risks as well as for articulating risk appetite and better mainstreaming the process for identifying emerging risks. Once at a more mature level, the risk management framework will also support the provision by IOS of reasonable assurance on UNESCO s overall risk management and control. 11. Programme management: The introduction of new programme reporting modalities (i.e. the Programme Implementation Report and Strategic Results Report) is expected to progressively improve information for decision-making; this should be accompanied by initiatives to strengthen the culture, competencies and mechanisms for both results monitoring and implementation monitoring of the programme. With regard to the field network, UNESCO Country Programming Documents (UCPDs) were introduced in 2007 to highlight in a comprehensive manner UNESCO s contribution to Member States development efforts. As a number of these UCPDs are now obsolete, and there are important gaps in coverage, the purpose, form, content and periodicity need to be reassessed to ensure their relevance and coherence. UNESCO s framework for engaging with Implementing Partners has several areas requiring improvement in order to better ensure accountabilities and manage performance and financial risks to UNESCO. These were presented in the 2014 IOS Audit of Value for Money in Contracting with management s action plans on the recommendations still under way. 12. Human resources: Actions are also under way to decrease the time that it takes to recruit staff at the Professional level and above. These include (i) better planning to initiate the recruitment early, (ii) shorter and concurrent internal and external advertising and (iii) continued progress in transitioning applicable posts from unique to more generic job descriptions. As planned by HRM, a new performance management system has been implemented since the prior IOS audit in 2013 and sustained attention will be needed to ensure effective appraisals and development of staff. 13. Financial control: IOS analyses during 2015 showed that the segregation of incompatible duties, particularly between the certifying and approving roles, is effectively in place across the Organization. With regard to the competitive selection of contractors/vendors, both training and monitoring by the Bureau of Financial Management were ongoing during the year to strengthen this aspect of UNESCO s contracting practices. IOS continued to support this priority. The number of vacant Administrative Officer posts in the field network remained high during 2015 and continued effort is needed to ensure effective interim control in these offices and to reduce the number of vacancies. Additional appropriations have been a growing source of funding to UNESCO. IOS risk assessment of the control of such contributions showed opportunity to clarify certain accountabilities for these funds. Procedures were revised accordingly during 2015 and will continue to be monitored. 14. Resource mobilization: An IOS audit of resource mobilization during the year recommended that the strategic importance of this issue be elevated with clear leadership and responsibility to deliver on resource mobilization plans. In this regard, addressing information gaps and establishing better performance metrics will improve the management of resource mobilization efforts. Synergies should be increased between communication plans and resource mobilization plans, such as through targeted messaging to potential donors as part of UNESCO s communications and better communicating programme successes. In addition to BSP/CFS s training now on offer to Sectors and field offices, priority should be given to investment in skills development and a management system for constituency relationships. 15. Information technology: Audits of information technology risks have been reduced since 2011 due to budget constraints. IOS audits during 2015 routinely examined the relevant access and information security controls leading to recommendations for improvement where non-

5 page 4 compliance or control weaknesses were noted. It is important to note that implementation of improved IT governance in recent years has led to better prioritized acquisition and development including current planning for a SAP redesign to upgrade the system to better meet business needs. With regard to business continuity and disaster recovery planning, the IT aspects are progressing and planning now needs to be expanded beyond the technology aspects. 16. In 2013, the Executive Board invited IOS to specifically include multilingualism in the scope of its individual audits (191 EX/Decision 22.5). In the 2015, IOS raised the issue of multilingualism during the audit of a category 1 institute in order for it to more effectively achieve its regional objectives. EVALUATION 17. In April 2015, the Executive Board endorsed a new Evaluation Policy for UNESCO. Over the course of the year, IOS elaborated an Evaluation Strategy to provide a sound framework for strengthening the evaluation function across UNESCO. Moreover, the strategy seeks to position evaluation as a strategic management tool to ensure wider use of evaluation findings to improve decision-making and to promote organizational learning and accountability. 18. Significant efforts are needed to strengthen the decentralized evaluation function i.e. evaluations which are managed by UNESCO staff outside of IOS. The synthetic review 3 of decentralized evaluations done over the past year (see Annex V) showed that the quality of these evaluations remained poor, especially when it came to providing evidence on effects (outcome or impact) of programmes. A sustained effort will be needed to ensure better and more useful decentralized evaluations that inform organization-wide learning and accountability. The Evaluation Strategy therefore foresees the development of an evaluation focal point network, the implementation of an evaluation management training programme, and the upgrading of evaluation guidance materials. Periodic meta-evaluations of completed decentralized evaluations will be undertaken to track improvements but also to inform organizational results-reporting and learning. These activities can only be marginally funded from the existing IOS budget. IOS seeks to mobilize additional extrabudgetary resources to ensure successful implementation of the Strategy. 19. One of the key challenges facing the decentralized evaluation system is the low level of investment to conduct quality decentralized evaluations. The table below illustrated the overall situation at the end of the biennium. The UNESCO Evaluation Policy establishes a target of 3% of programme expenditure as the recommended minimum level of investment in evaluation. The ongoing IOS synthesis review of completed evaluations compiled approximately 30 decentralized evaluations of extrabudgetary programmes over the period. The investments in decentralized evaluations as presented in the table are therefore best estimates. 4 These figures would likely be revised upwards as decentralized evaluation planning and monitoring improve in the 38 C/5 period. 3 4 The study consists of two parts: a meta-evaluation is being conducted to assess the quality of reports on the basis of a simple framework of (minimum) quality parameters; and, a synthetic review exercise is to identify and synthesize information on relevance and effectiveness of UNESCO s areas of work as well as cross-cutting challenges. This is expected to complement the first ever Strategic Results Report 199 EX/4 Part I that is being presented to the 199th session of the Executive Board. As per the evaluation policy the target for extrabudgetary funding also includes funding for M&E. This is not reflected in this figure do to absence of systematic data collection.

6 page 5 Table 3: Three percent target vs actual investment for evaluation resources ( ) Regular Programme Extrabudgetary Programme (Decentralized) Target of 3% 5 Actual investment 6 Target of 3% 7 Actual investment 8 $5,000,000 $2,850,000 (1.7%) $8,500,000 $1,750,000 (0.6%) 20. On 30 September 2015, IOS (UNESCO) in collaboration with the OECD and the French and European Evaluation Societies organized a one-day international conference: Making Effective Use of Evaluations in an Increasingly Complex World. The conference brought together decision makers and evaluators to discuss evaluation use. The conference was attended by approximately 200 people and was part of the 2015 International Year of Evaluation. 21. The IOS Evaluation Section has been a co-convener of the UNEG working group on Norms & Standards in Evaluation. Revised Norms & Standards for evaluation in the United Nations system are expected to be presented at the UNEG Annual General Meeting in April Several key evaluation activities have contributed to the improvement of, inter alia, the following reform efforts, strategies and policies in UNESCO over the past year: The implementation of recommendations of the Evaluations of UNESCO s standardsetting work of the Culture Sector has continued to lead to a number of important developments. The Secretariat of the 1970 Convention has implemented a comprehensive capacity-development and awareness-raising strategy. A results framework is being prepared for the 2005 Convention and forms the basis of the global Report that monitors its implementation. A Knowledge Management System is also being developed for the 2005 Convention to promote good implementation practices at the national level. Several measures have also been taken by the UNESCO Secretariat to create opportunities for joint thinking, exchange of experiences, cooperation and synergies between the Culture Conventions. These include the establishment of a Cultural Conventions Liaison Group and of a Common Services Platform within the Culture Sector and the meeting of the Chairs of the six Culture Conventions to discuss ways of working together more effectively. Following the Lessons Learned from UNESCO s Field Reform in Africa, the Director- General established the Division of Field Support and Coordination that is responsible for the overall management of UNESCO s field network and is to act as a platform for field management, support and coordination. This division will lead the preparation of an Action Plan to address the key challenges identified in the evaluation report. The Evaluation of Technical and Vocational Education and Training has served as valuable input into the Organization s new Strategy for TVET for that is being presented to the 199th session of the Executive Board. (See document 199 EX/6). 23. IOS also continued to provide backstopping and quality assurance to selected decentralized evaluations managed by sectors, offices and bureaus. Furthermore, over the course of 2015 IOS provided a number of evaluation trainings to colleagues in the field and held workshops with programme managers on the development of intervention logics for the International Oceanographic Commission, the Man and the Biosphere Programme and the UNESCO Water Family. Summaries of evaluations completed in 2015 are provided in document 197EX/5 Part III, The figure represents 3% of the operational budget of the 37 C/5 approved addendum $507M expenditure plan. Of which $2M are IOS staff costs. The figure represents 3% of the estimated operational budget expenditure for the 37 C/5 biennium. Estimate for actual extrabudgetary investment is based on 50 total completed evaluations at average cost of $35,000.

7 page 6 while the full reports are publicly available on the IOS website in English and French. The provisional evaluation work programme for 2016 is presented in Annex II. RECOMMENDATION FOLLOW-UP 24. IOS formulates recommendations to assist UNESCO in meeting its strategic objectives, to improve the Organization s programme delivery, efficiencies and controls and to inform strategic decisions and to improve programme delivery, controls and efficiencies. IOS systematically follows up on the implementation of both internal audit and evaluation recommendations. In 2015, IOS continued its emphasis on the implementation of recommendations by engaging in discussions and formulating action plans as reports are finalized and then periodically following up on the status and effectiveness of these action plans. IOS brings overdue recommendations to the attention of the Senior Management Team for action. 25. As of 31 December 2015, there were 141 open recommendations by internal audit, an increase from the 128 open recommendations at the beginning of the year. During 2015, 81 new audit recommendations were made and 68 recommendations were closed (of which 82 percent were fully implemented). Figure 1: Internal audit recommendations status as of December With regard to evaluation, as of 31 December 2015, there were 69 open recommendations, a decreased compared to 99 open recommendations a year earlier. During 2015, 20 new evaluation recommendations were made and 50 were closed. The figure below shows the implementation of recommendations for reports issued during Figure 2: Implementation of evaluation recommendations INVESTIGATION 27. IOS is responsible for investigating allegations of corruption, fraud, waste, abuse of authority and other misconduct by UNESCO staff or third parties including consultants. Allegations are subject to a preliminary assessment to establish whether they are specific, credible, material and verifiable. In case of harassment, the Ethics Office undertakes this preliminary assessment. Where the screening indicates misconduct, the matter is formally investigated by IOS. In cases where the investigation concludes that misconduct occurred, disciplinary measures are proposed by HRM to the Director-General. 28. In 2015, IOS received 27 new allegations and 23 allegations were closed this included 15 cases remaining from Forty-nine percent of the cases opened in 2015 were at Headquarters

8 page 7 and 51% in field operations. IOS issued nine investigation reports during the year, all conforming to the Professional Standards and in line with UNESCO s disciplinary procedures. As a comparison, in 2014 IOS issued 13 investigation reports. Table 4: Caseload of the Investigation Section Year New allegations Allegations closed Of which resulting in disciplinary actions of which, staff separations Caseload as of 31 Dec Of the 23 allegations closed in 2015, the allegation was confirmed in over one third of all cases while another one third was referred for action to appropriate services (e.g. Ethics, HRM, Supervisors, etc.). In 22% of the cases the allegation did not result in an investigation as it could not be substantiated. Figure 3: Closures of allegations in Most of the allegations received in 2015 involved misuse of resources or inappropriate conduct on part of UNESCO s personnel. Duration of investigations conducted by IOS depends on the nature of the allegations, the required investigative steps and resources. In 2015, the average duration of investigations was 4.9 months. As a comparison, average duration of investigations in 2014 was 4.1 months. Figure 5: Nature of allegations received (2013 to 2015) 9 A complaint may contain several allegations or may pertain to different individuals, thus lead to several reports as appropriate.

9 page Between 2013 and 2015, IOS investigations that involved fraud and financial irregularities resulted in the recovery of substantiated losses in all cases. To date $208,124 has been recovered during that period. ADVISORY ROLE 32. IOS advisory work is performed at the request of the Director-General and senior management. During the year, IOS advised on a range of issues, inter alia advising on the potential integration of two central service functions, undertaking an impact analysis regarding the Organization s travel policy and advising on the Fit-for-Purpose initiative and the Invest for Efficient Delivery Fund. IOS also updated a key analysis contained in the 2014 Audit of Value for Money in Contracting for BFM to disseminate and completed analytics and issued management letters of compliance with key internal controls across the organization. As part of an initiative to improve assurance on higher risk projects implemented through partners, IOS developed terms of reference, advised and quality assured a contracted audit of costs incurred by the partner. This initiative will continue to be expanded. IOS also participates in a range of UNESCO initiatives, committees and working groups to improve contracting, knowledge management and ICT, investment oversight, SAP redesign and engages in inter-agency United Nations bodies on oversight. OVERSIGHT ADVISORY COMMITTEE 33. IOS functions as the secretariat for the Oversight Advisory Committee (OAC), a standing committee established at the 35th session of the General Conference (35 C/Resolution 101). Its main purpose is to advise the Director-General on the proper functioning of oversight, risk management and control and to inform the Executive Board through the submission of its annual report which is presented as 199 EX/16.INF. The OAC s terms of reference were updated at the 38th session of the General Conference (38 C/Resolution 102) and will be further reviewed at the 200th session of the Executive Board. The OAC is currently comprised of four external independent members, with a fifth to be added per the recently revised terms of reference. In 2015 the OAC met three times. JOINT INSPECTION UNIT 34. IOS serves as UNESCO s focal point and follows up on recommendations of the JIU that are relevant to UNESCO. Information on JIU recommendations is available on the IOS website at During the past year 35 new recommendations were directed to UNESCO and 39 were closed. UNESCO s implementation rate of JIU recommendations issued between 2010 and 2014 stands at 83%. Summary of findings from JIU reports issued in 2015 of interest to UNESCO, and progress status of JIU recommendations are available in Annex IV. LOOKING FORWARD 35. The IOS work programme for 2016 (see Annex II) focuses on effective programme design, implementation and monitoring of results. The Evaluation Section will focus on a number of assignments in the field of education, and the Internal Audit Section will put emphasis on programme management, IT security, enterprise risk management and financial control. The Investigation Section will undertake an Organization-wide fraud risk assessment and fraud awareness programme. The evaluation work programme was developed taking into account the need to provide evaluation coverage of key organizational programme priorities e.g. youth, freedom of expression, science, technology and innovation policy. The internal audit work programme for was developed based a risk assessment taking into consideration

10 page 9 internal and external factors. Both programmes include activities that are subject to the availability of additional resources. Proposed decision 36. The Executive Board may wish to adopt a decision along the following lines: The Executive Board, 1. Recalling 160 EX/Decision 6.5 and 164 EX/Decision 6.10, 2. Having examined document 199 EX/16, 3. Welcomes the role of the Internal Oversight Service in the functioning of the Organization; 6. Welcomes the recommendations contained in the report of the Oversight Advisory Committee, and requests the Director-General to ensure their full implementation; 7. Welcomes the revised charter/policy on the role and mandate of the internal audit service; 8. Requests the Director-General to continue her efforts to ensure that all Internal Oversight Service recommendations are fully implemented within a reasonable time frame; 9. Requests the Director-General to continue to maintain an effective oversight function as set forth in the respective revised IOS internal audit and evaluation policies and to report annually on Internal Oversight Service strategies and activities, significant oversight recommendations and their impact, as well as actions taken by the Director- General to address and implement these recommendations.

11 Annex I ANNEX I AUDITS COMPLETED IN 2015 PRINCIPAL AUDITS COMPLETED Audit of UNESCO s Resource Mobilization Strategy and Framework This audit assessed the design and operation of UNESCO s resource mobilization strategy and framework. Extrabudgetary resources form a major share of UNESCO s budget, exceeding the regular programme in The scope and range of UNESCO s donors is noteworthy, comprising a diversified donor network that funds a variety of programmes, largely implemented in the field. Nevertheless, three to four percent of UNESCO s donors provide 60 to 70% of UNESCO s voluntary contributions. To ensure sustainable and flexible funding UNESCO should, like a number of other United Nations organizations, engage with member states at a strategic level through structured financing dialogues and give priority to further reaching out to potential new donors such as middle-income countries, foundations and the private sector. The audit also recommends a number of actions to improve the efficiency and effectiveness of UNESCO s resource mobilization efforts. For example, the Complementary Additional Programme can be more focused by better aligning the numerous resource mobilization plans and strategies across the Organization. The strategic importance of resource mobilization should be elevated and clear leadership and responsibility to deliver on resource mobilization plans should be established. In this regard, addressing information gaps and establishing performance metrics will improve the management of resource mobilization efforts. Increased synergies between communication and resource mobilization plans can be achieved through targeted messaging to potential donors as part of UNESCO s communications and showcasing UNESCO s brand on its website and social media. In addition to BSP/CFS s training now on offer to Sectors and field offices, investment in skills development and a management system for constituency relationships will improve engagement with donors. Audit of the Natural Science Sector The audit examined the activities of the Natural Sciences Sector to provide assurance that the Sector plans, implements and reports on its programmes and projects in accordance with UNESCO s guidelines and policies, sectorial priorities, as well as the guidelines mandated by the various related governing bodies. While the Major Programme of Natural Sciences includes the International Oceanographic Committee (IOC), given the separate structure and leadership, the scope of this audit did not include IOC. The audit concluded that the financial and administrative controls in the Sector were generally in place and effective. However, the Sector faces challenges relating to programme prioritization, accountability for programme delivery, decentralization to field offices, engagement with category 1 and 2 institutes and RP staff cost recovery for the management of extrabudgetary projects. Audit of UNESCO s Recruitment Process for International Staff UNESCO s recruitment procedures are designed to identify and appoint high quality staff while also achieving wide geographical representation and gender balance in the Secretariat. For purposes of this audit, IOS examined all recruitments completed in 2014 and From a compliance perspective, these generally conformed to the established procedures. However, the procedures are characterized by sequential steps often involving a pre-selection committee, an evaluation panel and an advisory board resulting in a lengthy process with considerable investment of staff time. While certain efficiencies have been successfully introduced, the Organization has had little success in accelerating time lapsed from initiation to appointment. Advisory Engagement on the Integration of the Sector for External Relations and Public Information (ERI) with the Bureau for the Management of Support Services (MSS) This engagement comprised (i) proposing a structured approach towards formulating and implementing the integration, (ii) updating data collected from the 2013 IOS streamlining review of MSS and collecting additional information on ERI structures, business processes, performance indicators and costs, (iii) gathering information on good practices in other organizations and (iv) developing options on how to strengthen service delivery and improve economies within an integrated structure. IOS presented three options for a combined structure to a senior-level task force for consideration. The task force endorsed a modified option combining attributes presented by IOS for recommendation to the Director-General.

12 Annex I page 2 Risk Assessment of the UNESCO IHE Water Institute This category 1 science institute has faced major challenges due to the complex governance arrangement and the role of the local Foundation which provides administrative support to the Institute. Many of the requirements as laid out in the Financial Regulation governing the Institute were not complied with. After prolonged discussions, slow progress and inconsistent interpretations of the roles of UNESCO, the Institute and the local Foundation, matters reached a critical point where the Foundation, among other measures, removed UNESCO s signatory authority over the Institute s contracts. To support a common understanding on the way forward, IOS conducted a risk assessment to frame the specific challenges from UNESCO s perspective for joint resolution with the Institute and the Foundation. This contributed to the workplan of a senior-level change manager appointed by the host government to facilitate a workable solution to past challenges. Audits of Field Offices IOS issued six audit reports of field offices during the year and completed field work on two others. These generally showed effective financial and administrative control, with the most common areas for improvement being contracting and travel management. From a programmatic standpoint, there were generally notable accomplishments in the locations audited, but there was often inconsistent engagement at the national level by the cluster offices. For one national office that maintained an antenna office, the audit noted that insufficient oversight of the antenna led to a range of operational and security risks. Maintaining current and relevant UNESCO Country Programming Documents was a recurring challenge, with lack of resources or other specific challenges cited by the responsible managers. In instances where there were prolonged gaps in key positions, the importance of succession planning was highlighted as well as the common perception that these were attributed to lack of resources and lengthy recruitment processes. Resource mobilization efforts varied among the offices, and the audits noted that better planning would support these efforts.

13 Annex II ANNEX II INDICATIVE WORK PROGRAMMES INTERNAL AUDIT PLAN 2016/2017 Audit Universe Audits to be Performed Year Headquarters Audits Programme & Project Management: Category 2 institutes/centres 2016 Social and Human Sciences Sector 2016 Status of RBB Project 2017 Cost Recovery 2017 Major Extrabudgetary Projects* Partnerships: Compliance with Donor Agreements 2016 IATI Implementation 2017 Administration and Services: Travel Management 2016 Field Security 2016 Management Committees 2017 Management of Fixed Assets 2017 Risk Management Framework 2016 Publications & Printed Material 2016 Conferences & Events Management 2017 Post Reclassification Process* 2016 Translation Services* 2017 IT Audits IT Security 2016 Advisory Work Data Analytics and Control Monitoring 2016 IT Acquisition and Development 2017 Data Classification and Stewardship 2017 Lessons Learned from Implementation Challenges in Extrabudgetary Projects Field Audits Five Field Offices/Institutes** 2016 Other Activities 2016 Five Field Offices/Institutes** 2017 Internal audit also serves as focal point for the work of the Joint Inspection Unit and participates in a range of UNESCO initiatives, committees and working groups to improve contracting, knowledge management and ICT, investment oversight, SAP redesign and engages in inter-agency UN bodies on oversight. IOS also provides the secretariat for the Oversight Advisory Committee. * Only undertaken if additional funding can be secured ** Combination of full scope and remote audits, subject to resources

14 Annex II page 2 EVALUATION PLAN 2016 Evaluation Universe Engagements Status Programmes Education: Education for All Global and Regional Coordination Mechanisms UNESCO s role in education in emergencies and protracted crises UNESCO s standard-setting work related to the Regional Higher Education Recognition Conventions ASP Network Girls in Education In progress In progress In progress In progress Planned Natural Sciences: Science, Technology and Innovation (STI) Policy International Basic Sciences Programme Planned Planned Social and Human Sciences: Networks of Mediterranean Youth (NetMed) Planned Culture: Culture in Conflict Areas Planned Communication and Information: Freedom of Expression* Planned Decentralized Bodies UNESCO s field presence in Asia* Planned Quality Assurance and Support to Decentralized Evaluation System Statutory Reports Development of UNESCO decentralized evaluations focal point network * Advisory support to decentralized evaluations Synthetic review and meta-evaluation of completed evaluations IOS Annual Report and periodic report on evaluations completed Planned In progress In progress Planned * Engagement subject to resources as funding has not been secured

15 Annex III ANNEX III IOS INTERNAL AUDIT CHARTER AND POLICY INTRODUCTION This policy establishes the charter for the internal audit activity of UNESCO s Internal Oversight Service. It also sets forth the framework for ensuring a stronger and more integrated system of assurance on the adequacy and effectiveness of UNESCO s risk management and control. In this regard, independent assurance is routinely provided by the External Auditor, the Internal Oversight Service (IOS) and in specific areas by other assurance providers such as the Joint Inspection Unit (JIU) or the independent auditors of UNESCO s Implementation Partners. DEFINITION AND PURPOSE OF INTERNAL AUDITING Internal auditing is an independent and objective assurance and advisory activity performed by IOS that is guided by a philosophy of adding value to improve the operations of UNESCO. It assists UNESCO in accomplishing its objectives by bringing a systematic and disciplined approach to assess and improve the effectiveness of the Organization's risk management and internal control. ORGANIZATION The Director-General established IOS in accordance with UNESCO s Financial Regulations as a consolidated oversight mechanism which includes internal audit, evaluation and investigation. Within the financial control framework, IOS internal auditing is responsible for the review and assessment of the adequacy and effectiveness of the Organization s systems of internal control as part of the Organization s control monitoring. For this purpose, the Financial Regulations state that all systems, processes, operations, functions and activities within the Organization may be subject to such review, evaluation and monitoring. In providing advisory services, IOS seeks to add value by improving the Organization s operations and programme delivery. The General Conference established UNESCO s Oversight Advisory Committee as a standing committee 10 to advise the Director-General and the Executive Board on the proper functioning of oversight, risk management and control. 11 The Oversight Advisory Committee also advises the Director-General on the selection process of the Director of IOS, who performs the role of UNESCO s Chief Audit Executive. The Director-General appoints the Director of IOS in consultation with the Executive Board. 12 Director of IOS reports to and is accountable to the Director-General and has a functional reporting line to the Oversight Advisory Committee. The Director of IOS is appointed for a non-renewable six year fixed term and is barred from re-entry to UNESCO thereafter. The Director of IOS presents to the Oversight Advisory Committee, the Director-General and the Executive Board: The internal audit charter Internal audit plans Internal audit budgets Annual reports on the internal audits programme of work Any instances where there is inappropriate scope or resource limitations C/Resolution C/ C/52.

16 Annex III page 2 AUTHORITY When conducting assignments, IOS personnel have the following authorities: Complete and unrestricted access to all records, documents, personnel and physical assets relevant to the subject under review at Headquarters and in UNESCO institutes, centres and the field; The right to communicate directly with all levels of staff and management; The right to request any staff member to furnish all information and explanations that IOS deems necessary; The right to determine scopes of work, apply techniques and allocate resources within budget authorities, including the engagement of specialized consultants; The right to access and audit vendor and partner records, personnel, documents and other information relevant to their activities with UNESCO, as established under the contractual terms and conditions. PROFESSIONALISM IOS carries out its internal audit activities in accordance with the International Standards for the Professional Practice of Internal Auditing, the Definition of Internal Auditing and the Code of Ethics of the Institute of Internal Auditors. These constitute the principles of the fundamental requirements for the professional practice of internal auditing and for assessing the effectiveness of the internal audit activity s performance. The Institute of Internal Auditors' Practice Advisories, Practice Guides, and Position Papers will also be adhered to as applicable to guide operations. In addition, IOS will adhere to UNESCO s relevant policies and procedures including the internal audit manual. INDEPENDENCE AND OBJECTIVITY IOS operates independently and free from interference from other parts of the Organization. This includes matters of internal audit selection, scope, procedures, frequency, timing or report content in order to permit maintenance of necessary independence and objectivity. Apart from providing advice, IOS is not involved in the management of any programmes, operations or functions. Accordingly, internal auditors will have no direct operational responsibility or authority over any of the activities audited; they will not implement internal controls, develop procedures, install systems, prepare records or engage in any other activity that may impair the internal auditors judgment. Internal auditors are to exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined. In this regard, they are to make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments. The Director of IOS will inform the Executive Board and the Oversight Advisory Committee, at least annually, on the organizational independence of IOS including its internal audit activities. The Director-General ensures that IOS is provided with the necessary resources in terms of appropriate staffing, adequate funds and appropriate training to fulfil its mission and maintain its independence. The Director of IOS will communicate and interact directly with the Oversight Advisory Committee, including in executive sessions. RESPONSIBILITY The Director of IOS is responsible for the work of IOS, including its internal audit activities. The scope of internal auditing encompasses, but is not limited to, the examination and assessment of the adequacy and effectiveness of the Organization s risk management and internal controls as well as the quality of performance in carrying out assigned responsibilities to achieve the Organization s stated goals and objectives. This includes: Assessing risk exposure relating to achievement of the organization s strategic objectives;

17 Annex III page 3 Assessing the reliability and integrity of information and the means used to identify, measure, classify and report such information; Assessing the systems established to ensure compliance with those policies, plans, procedures, laws and regulations which could have a significant impact on the Organization; Assessing the means of safeguarding assets and, as appropriate, verifying the existence of such assets; Assessing the effectiveness and efficiency with which resources are employed; Monitoring and assessing the effectiveness of the organization's risk management processes; Taking into account the work of the External Auditor and ensuring the coordination of coverage of internal audits; Providing advisory services related to risk management and control as appropriate for the Organization; Reporting periodically on the internal audit activity s purpose, authority, responsibility and performance relative to its plan; Reporting significant risk exposures and control issues, including fraud risks; Assessing specific operations at the request of the Director-General, as appropriate. INTERNAL AUDIT PLAN At least annually, the Director of IOS will submit to the Director-General and the Executive Board, after consultation with the Oversight Advisory Committee, an internal audit plan. The internal audit plan will consist of the audits planned as well as the impact of resource limitations. The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of senior management and the relevant decisions of the Executive Board. The plan will be formulated taking into account the plans and engagements completed of the External Auditor and other assurance providers in order to ensure an integrated and efficient system of assurance. The Director of IOS will review and adjust the plan, as necessary, in response to changes in the Organization s operations, risks, programmes, systems and controls. Any significant deviation from the approved internal audit plan will be communicated to the Oversight Advisory Committee through periodic activity reports. REPORTING AND MONITORING A written report will be prepared and issued by the Director of IOS following the conclusion of each internal audit engagement and will be distributed as appropriate. Significant internal audit results will also be communicated to the Executive Board. The internal audit reports may include the views of management and the corrective actions taken or to be taken in regard to the specific findings and recommendations, as well as a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented. The Director of IOS is responsible for monitoring the implementation status of its recommendations and periodically reporting the status to the Director-General, with particular attention to timely communication of conditions resulting in high risk exposure. UNESCO management officials are responsible for considering internal audit reports issued to them for action, providing timely responses to IOS, and implementing the agreed action plans in response to findings and recommendations of the audit. Where management officials and IOS are unable to agree on action plans in response to internal audit reports, the matter will be communicated within the Secretariat hierarchy as appropriate for resolution. The Director of IOS will also periodically report to the Director-General, the Oversight Advisory Committee and the Executive Board on the internal audit activity s purpose, authority and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues.

18 Annex III page 4 QUALITY ASSURANCE AND IMPROVEMENT PROGRAM The IOS internal audit activity will maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The program will include an assessment of the internal audit activity s conformance with the Standards and other mandatory guidance and whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement. The Director of IOS will communicate to the Oversight Advisory Committee on the internal audit activity s quality assurance and improvement program and will share the results of quality assessments, conducted at least every five years, with the Director-General, the Oversight Advisory Committee and the Executive Board. Internal Audit Policy and Charter Approved this day of,. Director of the Internal Oversight Service Director-General

19 Annex III page 5 Add value ANNEX 1: GLOSSARY OF KEY TERMS The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of governance, risk management and control processes. Adequate control Present if management has planned and organized (designed) in a manner that provides reasonable assurance that the organization's risks have been managed effectively and that the organization's goals and objectives will be achieved efficiently and economically. Advisory services Client service activities, the nature and scope of which are agreed with the client, that are intended to add value and improve an organization's risk management and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation and training. Assurance services An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security and due diligence engagements. Executive Board The body charged with the responsibility to direct and/or oversee the activities and management of the organization. Charter The Internal Audit Charter is a formal document that defines the internal audit activity's purpose, authority, and responsibility. The Charter establishes the internal audit activity's position within the organization; authorizes access to records, personnel, and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Chief Audit Executive Chief Audit Executive (CAE) describes a person in a senior position responsible for effectively managing the internal audit activity in accordance with the Internal Audit Charter, the Code of Ethics and the Standards. The chief audit executive or others reporting to the chief audit executive will have appropriate professional certifications and qualifications. The Director of IOS is the CAE of UNESCO. Code of Ethics The Code of Ethics of The Institute of Internal Auditors are principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both the parties and the entities that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing. Compliance Adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements. Conflict of interest Any relationship that is, or appears to be, not in the best interest of the organization. A conflict of interest would prejudice an individual's ability to perform his or her duties and responsibilities objectively. Control Any action taken by management, the governing body and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.